August 10, 2012

Facebook Launches New Reporting Tool For Phishing Scams

Facebook wants to know if people are receiving phishing emails that seek to trick members into revealing their personal account information.

The social network has launched a new email account -- [email protected] -- that accepts reports of any such phishing attempts, saying they will “investigate and request for browser blacklisting and site takedowns where appropriate.”

“We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we'll be able to identify victims, and secure their accounts,” the company wrote in a posting on its security blog.

“This new reporting channel will complement internal systems we have in place to detect phishing sites attempting to steal Facebook user login information.”

“The internal systems notify our team, so we can gather information on the attack, take the phishing sites offline, and notify users. Affected users will be prompted to change their password and provided education to better protect themselves in the future.”

Phishing is any attempt to acquire personal information, such as usernames, passwords, or financial information, via impersonation or spoofing.

Phishing emails appear to come from legitimate sources, but are in fact a fraudulent attempt by the sender to obtain personal information from the unsuspecting recipients of these messages.

The emails might state that a user's account has been compromised, and request that the user ‘verify their account’ by clicking on a link in the message and entering their username and password. The true intent of the messages, however, is to steal private data. Legitimate businesses will never send emails asking customers to click on a link and enter their personal data.

Because many people use the same usernames and passwords at banking and other websites, someone who tricks a Facebook member into disclosing their account information can often use that data to log on to other sites as well.

Facebook offered some tips from the Anti-Phishing Working Group (APWG) on how to recognize phishing emails. First and foremost, be suspicious of any email with urgent requests for login or financial information. Unless the email is digitally signed, there is no guarantee it wasn't forged or “spoofed.” Additionally, never click on a link in an email, instant message, or chat to reach a website if you suspect the message is not authentic, or if you don't trust the sender. Instead, type the website's address into your browser and access it directly.
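The three APWG tips above can be turned into a simple triage check for reported messages. The following is an added example (not Facebook's or APWG's code) that flags an urgent request for credentials, the absence of a passing DKIM signature in the receiver's Authentication-Results header (an assumed stand-in for "digitally signed"), and links whose visible text names a different host than the one they actually point to; the two sample messages and all addresses in them are constructed.

```python
"""Heuristic phishing triage based on the APWG tips quoted in the article."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Tip 1: urgent wording combined with a request for login or financial details.
URGENT = re.compile(r"urgent|immediately|within \d+ hours|suspended|compromised|verify your account", re.I)
CREDENTIAL = re.compile(r"password|log ?in|username|credit card|account number", re.I)
# Tip 3 helpers: anchors in a single-part HTML body, and a hostname in visible link text.
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the APWG-style red flags found in one raw (RFC 822) message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # constructed samples are single-part HTML
    flags = []
    if URGENT.search(body) and CREDENTIAL.search(body):
        flags.append("urgent request for login or financial information")
    # Tip 2: treat the mail as unsigned unless the receiving server recorded dkim=pass
    # (assumption: the Authentication-Results header was added by our own mail server).
    if "dkim=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("sender not verified by a digital (DKIM) signature")
    # Tip 3: the link text shows one site but the href goes somewhere else.
    for href, text in ANCHOR.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != target:
            flags.append(f"link text shows {shown.group(1)} but points to {target}")
    return flags


# Constructed sample: a lure in the style described above (reserved example domains).
PHISH = """From: Security Team <security@example.com>
Subject: Urgent: your account has been compromised
Content-Type: text/html

<p>Your account was compromised. Verify your account within 24 hours or it will be
suspended. Enter your username and password at
<a href="http://login-example.example.net/verify">https://www.example.com/login</a>.</p>
"""

# Constructed sample: a signed newsletter whose link text and target agree.
LEGIT = """From: Newsletter <news@example.com>
Authentication-Results: mx.example.org; dkim=pass header.d=example.com
Subject: This week's updates
Content-Type: text/html

<p>Read this week's notes at <a href="https://www.example.com/blog">https://www.example.com/blog</a>.</p>
"""
```

Running `phishing_indicators(PHISH)` returns all three flags, while `phishing_indicators(LEGIT)` returns an empty list; a single flag is a hint for a human reviewer, not a verdict.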

“While rare, we hope that you forward us any phishing attempts you encounter. Together we can help keep these sites off the Web and hold the bad guys responsible,” Facebook said.